Java support in Trusty: Our holiday gift to you!
In the Java ecosystem, it’s common for applications to rely on hundreds of third-party dependencies. It’s a heavy lift for developers to evaluate all of those dependencies to make sure they’re being actively maintained and that they aren’t “abandonware” or malicious. But that evaluation is critical, because according to Sonatype's 9th Annual State of the Software Supply Chain report, "a significant portion (approximately 85%) of projects hosted on Maven Central are considered inactive, with fewer than 500 monthly downloads."
With Trusty’s support for Maven packages, we can do that evaluation work for you. Trusty can help you more easily make data-driven decisions about which dependencies to use for your Java projects.
Let’s walk through the steps of how to use Trusty to vet Maven open source packages.
First, head to trustypkg.dev and select Maven (Java) from the dropdown:
To find your target package, type your Maven coordinates in the format groupId:artifactId in the “Search Package” field. I’m a big fan of Spring Boot, so let’s start with a search for “org.springframework.boot:spring-boot”. Trusty will return the packages that match the search string, sorted from highest to lowest Trusty Score:
Navigating to the first entry, "org.springframework.boot:spring-boot," you can see detailed insight into the package:
Trusty’s scoring reflects the vitality of the Spring Boot community, with an impressive Trusty Score of 8.9. Let’s break that scoring down a bit. Our scoring system is based on a statistical model that analyzes public data about repos and authors on GitHub, including data for malicious packages, which tend to have low repo and author activity. It ranks packages linearly based on that data, providing a cumulative Trusty Score and individual scores for repo and author activity.
A Trusty Score of ‘5’ is the median, and ‘9’ would be in the 90th percentile (i.e., better than 90% of known packages). You can learn more about how Trusty Scoring is calculated here. We plan to introduce other dimensions for scoring beyond activity in the future.
Below the Trusty Score, you’ll see other package information, including Provenance and Shared Repositories.
With the Provenance section, we want to help you validate that a package is truly what it says it is, and can be traced back to its source repo. The open source project Sigstore makes it easy for developers to sign and verify their artifacts to establish provenance. The Maven ecosystem currently doesn’t support source of origin or build provenance verification, so we can’t provide this information for Maven packages—yet. The good news is that there is quite a bit of activity in the Java community to support Sigstore, so we hope to be able to add this information soon.
Shared Repositories helps you understand whether there are multiple packages pointing to the same repo. It’s common for malicious actors to create packages that “masquerade” as more popular ones, using their metadata and pointing to their repo (see an example here). This feature helps flag when that is happening. However, this is less concerning for Maven Central users when compared to other package management ecosystems that Trusty supports. This is because Sonatype, the organization responsible for Maven Central, effectively validates package metadata and verifies the source of origin. (You can find details of the validation checks that are performed here.)
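The Shared Repositories check described above, as an added example that is not Trusty's own code: it reads the <scm><url> from a few constructed POM fragments, normalises the repository URL so that http/https, SSH, case and ".git" variants collapse together, and flags any repo that more than one set of coordinates claims as its source.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed POM fragments, not real Maven Central metadata. Two packages
# point at the same upstream repo with differently spelled URLs, which is
# exactly what a Shared Repositories view should surface.
SAMPLE_POMS = {
    "org.example:web-core": """<project xmlns="http://maven.apache.org/POM/4.0.0">
      <scm><url>https://github.com/example-org/web-core</url></scm></project>""",
    "com.lookalike:web-core": """<project xmlns="http://maven.apache.org/POM/4.0.0">
      <scm><url>http://github.com/Example-Org/web-core.git/</url></scm></project>""",
    "org.example:templating": """<project xmlns="http://maven.apache.org/POM/4.0.0">
      <scm><url>git@github.com:example-org/templating.git</url></scm></project>""",
    "org.example:no-scm": """<project xmlns="http://maven.apache.org/POM/4.0.0">
      <artifactId>no-scm</artifactId></project>""",
}


def scm_url(pom_xml: str):
    """Return the <scm><url> text of a POM, or None when the element is absent."""
    node = ET.fromstring(pom_xml).find(f"{POM_NS}scm/{POM_NS}url")
    return node.text.strip() if node is not None and node.text else None


def canonical_repo(url: str) -> str:
    """Normalise https/http/ssh repo URLs to 'host/owner/repo', lower-cased."""
    m = re.match(r"^(?:https?://|git@)([^/:]+)[:/](.+?)(?:\.git)?/?$", url.strip())
    if not m:  # unknown scheme: fall back to a lower-cased, trimmed string
        return url.strip().lower()
    return f"{m.group(1)}/{m.group(2)}".lower()


def shared_repositories(poms: dict) -> dict:
    """Map canonical repo -> sorted coordinates, only for repos claimed by 2+ packages."""
    by_repo = defaultdict(list)
    for coords, xml in poms.items():
        url = scm_url(xml)
        if url:  # packages without an <scm> block cannot be attributed to a repo
            by_repo[canonical_repo(url)].append(coords)
    return {repo: sorted(pkgs) for repo, pkgs in by_repo.items() if len(pkgs) > 1}


if __name__ == "__main__":
    for repo, pkgs in shared_repositories(SAMPLE_POMS).items():
        print(f"{repo} is claimed by: {', '.join(pkgs)}")
```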
Now that we’ve vetted Spring Boot and we have confidence that it’s an active and safe package, we might want to explore various web templating technologies to add to a Spring Boot application. The following table highlights the Trusty scores for a few popular templating frameworks we could use:
Trusty Link | Trusty Score
 | 7.3
 | 6.6
 | 5.7
You can use Trusty’s scoring alongside your specific functional or technical requirements to make more informed dependency choices.
Trusty is still experimental, and we would love your feedback! To get started, head to trustypkg.dev and give your favorite Java packages a search, then join us on Discord to share your thoughts and feedback!
Brian Dussault
Director of Engineering